Cloud computing model has created a greater challenge for IT Security professionals

Cloud computing model has created a greater challenge for IT Security professionals. In this article I am exploring various aspects of today’s security solution. When considering security solution we cannot separate IT Security from Business resiliency. How we can make IT environment secured resilient in cloud computing environment? Business resilience has moved us from the sense of reacting and then recovering from an event to becoming impervious to the event. Business continuity focus upon a defensive resilience posture, it consist of three building blocks – Recovery, Hardening and Redundancy – these are widely recognized as vital components  for successful business continuity plans. A defensive posture is useful in protecting the organization and its revenue streams but it does not directly help the bottom line.

An offensive resilience posture also consists of three building blocks, which are focused upon improving the organization’s competitive position – Accessibility, Diversification and Autonomic computing. In cloud computing environment these three components are become more critical, as we need to add security. In practice these building blocks can be used all together or in various combinations depending upon need. For example diversifying operations might allow hardening to be limited other than at sites where critical applications and data reside. Business resilience encompass business as well as IT Operations and it can be thought of as spanning six discrete layers: Strategy, Organization, Process, data/application, technology and facilities/security. We need to consider all six services layers.

Developing a security system model is the first step of architecting security solution. Common Criteria are considered to be the description of the complete function of the security system model. Common Criteria provide a taxonomy for evaluating security functionality through a set of functional and assurance requirements. The Common Criteria include 11 functional classes of requirements:

1.     Security audit

2.     Communication

3.     Cryptographic support

4.     User data protection

5.     Identification and authentication

6.     Management of security functions

7.     Privacy

8.     Protection of security functions

9.     Resource utilization

10.  Component access

11.  Trusted path or channel

These 11 functional classes are further divided into 66 families, each containing a number of component criteria. There are approximately 130 component criteria currently documented, with the recognition that designers may add additional component criteria to a specific design. There is a formal process for adopting component criteria through the Common Criteria administrative body, which can be found at: http://csrc.nist.gov/cc/

The Common Criteria functional criteria are re-aggregated by adopting multiple steps that include removing the class and family structures. An analysis of the 130 component-level requirements in relation to their function within an NIS solution suggests a partitioning into five operational categories or security sub system:

Security audit subsystem:

Solution Integrity Subsystem

Access control subsystem:

Information flow control subsystem:

Identity or credential subsystem

To design this complex security systems need a robust method and security and business continuity group need to work together to architect the secure solution that can sustain today’s cloud computing environment.